From 0168ce7ec39dc0212341dc683a770004cedb3694 Mon Sep 17 00:00:00 2001 From: Daira Hopwood Date: Thu, 22 Apr 2021 23:18:34 +0100 Subject: [PATCH] ZIP 316: corrections to minimum lengths. Signed-off-by: Daira Hopwood --- zip-0316.html | 4 ++-- zip-0316.rst | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/zip-0316.html b/zip-0316.html index e924386d..a70b2c4d 100644 --- a/zip-0316.html +++ b/zip-0316.html @@ -428,14 +428,14 @@ c^{n+m}}{q}\) \(y' \neq y\) , all four pieces are randomized. -

Note that the size of each piece is at least 11 bytes.

+

Note that the size of each piece is at least 24 bytes.

It would be possible to make an attack more expensive by making the work done by a Producer more expensive. (This wouldn't necessarily have to increase the work done by the Sender.) However, given that Unified Addresses may need to be produced on constrained computing platforms, this was not considered to be beneficial overall.

Efficiency

The cost is dominated by 4 BLAKE2b compressions for \(\ell_M \leq 128\) bytes. A UA containing a Transparent Address, a Sapling Address, and an Orchard Address, would have - \(\ell_M = 112\) + \(\ell_M = 128\) bytes. The restriction to a single Address with a given Typecode (and at most one Transparent Address) means that this is also the maximum length as of NU5 activation.

For longer UAs (when other Typecodes are added), the cost increases to 6 BLAKE2b compressions for \(128 < \ell_M \leq 192\) diff --git a/zip-0316.rst b/zip-0316.rst index 8ca7811f..3ff83609 100644 --- a/zip-0316.rst +++ b/zip-0316.rst @@ -539,7 +539,7 @@ A 4-round Feistel thwarts this and similar attacks. Defining :math:`x` and * if :math:`x' \neq x` and :math:`y' \neq y`, all four pieces are randomized. -Note that the size of each piece is at least 11 bytes. +Note that the size of each piece is at least 24 bytes. It would be possible to make an attack more expensive by making the work done by a Producer more expensive. (This wouldn't necessarily have to @@ -552,7 +552,7 @@ Efficiency The cost is dominated by 4 BLAKE2b compressions for :math:`\ell_M \leq 128` bytes. A UA containing a Transparent Address, a Sapling Address, and an -Orchard Address, would have :math:`\ell_M = 112` bytes. The restriction +Orchard Address, would have :math:`\ell_M = 128` bytes. The restriction to a single Address with a given Typecode (and at most one Transparent Address) means that this is also the maximum length as of NU5 activation.